Details

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions.

Solution

Configure the ASA to use FIPS-validated SHA-2 or higher for IKE Phase 1 as shown in the example below.

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# integrity sha256

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Cisco.

References

• 800-53|IA-7
• CAT|II
• CCI|CCI-000803
• Rule-ID|SV-239958r769246_rule
• STIG-ID|CASA-VN-000230
• Vuln-ID|V-239958

Source

• Tenable.com/audits